Blockchain for Data Protection: A Double-edged Sword or a Techno-regulatory Oxymoron?

In January 2018, at the Eleventh Annual International Conference on Computers, Privacy and Data Protection (the “Conference”) in Brussels, one panel that made some headlines centered around blockchain technology in the context of data protection. The core inquiry of the panel was two-fold: (1) whether blockchain technology can facilitate data protection regulatory objectives and (2) whether the same technology makes it more difficult to enforce data protection laws. Unsurprisingly, neither inquiry produces a clear-cut answer.

On the one hand, blockchain technology could potentially advance the “privacy-by-design-and-default” principle promulgated by the E.U.’s General Data Protection Regulation (“GDPR”), which comes into force on May 25, 2018. But on the other hand, some of the technology’s signature features (i.e., immutability and irreversibility) raise concerns related to the dual principles of (1) data minimization and (2) the right to be forgotten, which underpin those same regulations. The inquiry is further muddied by the fact that (1) this discussion speculates about the compliance potential of a distributed technology in light of regulations that are designed with centralization in mind, and (2) not all blockchains are created equal—in fact, while they can be grouped into broad categories (for example, public vs. private), the analysis must always be done on a case-by-case basis.

Explaining Blockchain in Data Protection Jargon. As a preliminary matter, let’s explain why blockchain technology would even fall within the purview of data protection regulations. Since GDPR is currently considered the gold-standard in this realm, we will look to it for key metrics of analysis. Under the GDPR, data protection rules apply only if an entity processes identified or identifiable personal data—that is, data relating to a living natural person. Article 29 Working Party explained in its Opinion 05/2014 (WP 2016) that anonymized data (i.e., that which irreversibly prevents identification) is not subject to data protection rules—not pseudonymized data. In a public blockchain environment, every transaction carried out by a particular user is linked to the same encrypted public key. In blockchains where the public key is published, however, the same unreadable hash links the transactions to a particular user, and IP addresses or other metadata could make the user identifiable, thus putting these blockchains within the scope of GDPR. On the other hand, a blockchain such as Hyperledger, one implementation of which is designed to track products or materials in supply chain would not fall within the regulatory scope because there is no concern related to personal data.

Self-sovereign Identity as the Ultimate Solution for Privacy-by-design? One central tenet of the GDPR is the principle of privacy-by-design, whereby systems are set-up to promote privacy and data protection compliance objectives from the start. Blockchain technology was designed, in this sense, to ensure data integrity by being resistant against data corruption. It was also designed to be breach-proof, by moving from a centralized database model with a single point of failure to a distributed scheme. As one Conference panelist noted, blockchain technology also enables new forms of information sharing whereby parties to a transaction do not need to reveal any more information about themselves than is absolutely necessary for that particular transaction. For instance, in the context of credential management, individuals can disclose personal data to a trusted authority who would be responsible for issuing attestations of particular attributes (e.g., citizenship, age, address), without the need to have the underlying personal data being transferred every time. This could help comply with or take a particular transaction outside the scope of GDPR’s strict cross-border data transfer rules (see GDPR Chapter V and recitals 6, 48, 101-103, 107, 110-115). As for other opportunities, another panelist noted that blockchain technology presents unique possibilities for GDPR compliance in the areas of (1) notarization of consent, (2) notification of usage of personal data, and (3) real time information sharing between a data controller and data processors. Taking this one step further, yet another panelist envisions a future where self-sovereign identity enabled by blockchain technology is the only way to be GDPR-compliant.

Can We Forget Immutable Data? The very potential of blockchain technology for ensuring data integrity—by being immutable and non-selective in its preservation—also poses challenges for compliance with key data protection principles. By capturing every transaction and making it publicly visible, the technology inevitably runs afoul of the principle of data minimization enshrined in GDPR Article 5. Because the information cannot be removed once it is recorded, blockchain technology also conflicts with the storage limitation principle. Moreover, Article 17 of the GDPR recognizes a right to be forgotten, or a right to erasure, as some call it. Under this principle, an individual is empowered to request the removal of personal data if it is no longer necessary in light of the original purpose for collection and processing, the data subject withdraws consent, and certain other requirements are met. At the end of the day, whether blockchain technology fundamentally conflicts with the right to be forgotten depends on what “erasure” means, and whether irreversible encryption, revocation of access rights (in smart contracts contexts), or other similar mechanisms could suffice.

Can Distributed Technology Thrive in the Age of Centralized Regulatory Scheme? As Deloitte recently observed, in light of the pressure to prepare for GDPR compliance, stakeholders have increasingly engaged in research to make blockchain mechanisms editable, and prototypes have already been developed in response to the needs of large financial institutions. The irony is apparent, at least with the current proposed prototypes: to maintain the immutability premise of the technology all while complying with data protection rules requires the authority to alter information on the chain to be conferred to a “trusted administrator.” In other words, short of having to rely on the consent of a majority of the nodes on the chain to create a new fork, in order for the distributed ledger to comply with the GDPR, the technology has to be reconfigured with a centralized patch. Does this mean that the GDPR is not as technology-neutral or agnostic as some might claim? Designed with notions of a centralized data governance model (i.e., cloud computing and data controller) and with ill-fitting applications for blockchain technology, query whether aspects of the GDPR have already become outdated before the Regulation enters into force on May 25, 2018.

Key Takeaways

Blockchain technology’s pseudonymization of personal data approach could bring it within the scope of data protection obligations under the GDPR and other similar regulations.

The technology’s immutable and distributed features present opportunities to advance the notion of privacy-by-design-and-by-default. These features could also be leveraged to circumvent the need to transfer personal data for purposes of authentication via a credential-granting mechanism, and make data protection rules inapplicable.

The same features, however, could also create challenges for the right to be forgotten and data minimization principles under the GDPR.

Stakeholders have identified a regulatory-compliant fix in centralizing the authority to edit information on certain blockchains. This and similar approaches could be perceived as threats to the core identity of the technology and begs the question of whether the GDPR and other similar data protection schemes are fundamentally incompatible with a decentralized technology like the blockchain.

Mr. Gesser is a partner in Davis Polk’s Litigation Department. He represents clients in a wide range of cybersecurity issues, including compliance with various cybersecurity regulations, cybersecurity governance issues, cloud migration, data minimization, and cybersecurity risk disclosures. Mr. Gesser also counsels companies who have experienced cyber events by coordinating with experts to conduct investigations; communicating with regulators, law enforcement, insurers and auditors; assessing various federal, state and international regulatory disclosure obligations; and representing the companies in related civil litigation and regulatory investigations. He previously served as the Counsel to the Chief of the Justice Department, Criminal Division’s Fraud Section and as the Deputy Director of the Justice Department, Criminal Division’s Deepwater Horizon Task Force. In addition to his full-time practice, Mr. Gesser is a frequent writer and commentator on cybersecurity issues. [Full Bio]

Mr. Kiviat is an associate in Davis Polk’s Corporate Department, practicing in the Investment Management Group. Since joining the firm in 2016, he has completed a rotation in the Mergers and Acquisitions Group. [Full Bio]

Attorney Advertising. Prior results do not guarantee a similar outcome.

Disclaimer

dpwcyberblog.com is a collection of informational products provided by Davis Polk & Wardwell LLP. In its capacity as provider of dpwcyberblog.com and its component parts, Davis Polk is acting as an information provider.

dpwcyberblog.com and its component parts do not constitute, and are not intended to constitute, legal advice with respect to any particular circumstance, do not create an attorney-client relationship with Davis Polk & Wardwell LLP or any of its associated entities and should not be relied on or treated as a substitute for specific advice relevant to particular circumstances. Davis Polk & Wardwell LLP shall not be liable for any loss that may arise from any reliance on dpwcyberblog.com or its component parts. If you have any comments or questions, please contact cyberblog@davispolk.com